Secure Peer-To-Peer Networks for Trusted Collaboration (Invited Paper) Kevin W

Secure Peer-to-peer Networks for Trusted Collaboration (Invited Paper)

Kevin W. Hamlen and Bhavani Thuraisingham
Computer Science Department – MS EC31, University of Texas at Dallas, 800 W. Campbell Rd., Richardson, Texas 75080-3021, USA
{hamlen, [email protected]

Abstract—An overview of recent advances in secure peer-to-peer networking is presented, toward enforcing data integrity, confidentiality, availability, and access control policies in these decentralized, distributed systems. These technologies are combined with reputation-based trust management systems to enforce integrity-based discretionary access control policies. Particular attention is devoted to the problem of developing secure routing protocols that constitute a suitable foundation for implementing this security system. The research is examined as a basis for developing a secure data management system for trusted collaboration applications such as e-commerce, situation awareness, and intelligence analysis.

I. INTRODUCTION

The advent of popular peer-to-peer (P2P) networks like Napster [1] and Gnutella [2] has heralded an explosion of interest in P2P network design both among researchers and practitioners. P2P networks have increased in popularity partly because they can be implemented atop a diverse collection of hardware and software, making them relatively inexpensive to deploy and maintain. The network infrastructure also tends to be highly fault-tolerant, and bandwidth and other computational resources tend to be well balanced across peers, making the network highly robust.

A robust network design requires that peers in a P2P network be considered semi-trusted or untrusted, so to ensure the integrity and confidentiality of shared data it is critical that P2P networks be secure. In recent years there has been a vast array of research toward enforcing the security guarantees necessary to achieve system-wide, end-to-end security policies in P2P networks (cf. [3], [4]). Recently we have designed the Penny system [5], which combines several of these advances to efficiently enforce strong data integrity policies in structured P2P networks.

This paper describes secure P2P networks and their support for building trusted applications. We first discuss our approach to enforcing integrity policies in Penny in Section II. Penny implements a reputation-based trust management system based on EigenTrust [6] in the context of a Chord network [7]. One of the most challenging aspects of developing a secure P2P network is establishing a secure routing structure over which messages and data can reliably be exchanged in the presence of malicious peers. In Section II-C we discuss some of the issues and open problems in this area.

P2P networks provide the infrastructure to support various technology applications such as data management, collaboration, and decision-making. These in turn support real-world applications including e-commerce, situation awareness, and intelligence analysis. Secure P2P networks can be used as a foundation for supporting trusted applications. In Section III we discuss some of our preliminary ideas on hosting a trusted data manager on the Penny system. In particular, we discuss the issues involved in decomposing data management objects into multiple Penny objects so that the integrity policies can be enforced on the Penny objects. Supporting trusted collaboration is briefly discussed in Section IV, and we conclude with a summary in Section V.

II. SECURE PEER-TO-PEER NETWORKS

A. Availability, Integrity and Confidentiality Vulnerabilities

P2P networks have developed as a means of evenly balancing the computational expense associated with delivering network services. In contrast to a traditional network, which divides its constituent hosts into servers and clients, P2P networks homogeneously treat all hosts as servents, assigning each both server and client functionality. This allows services to be delivered from a large number of servents rather than from a relatively small number of servers. For example, Napster, Inc. [1] achieved early commercial success using P2P technology to serve music content to users by storing most of that content on end-user machines rather than on centralized servers. This reduced costs, improved reliability, and greatly expanded the variety of content that they could offer. Subsequently, P2P has been used for general-purpose file-sharing in popular implementations such as Gnutella [2], KaZaA [8], LimeWire [9], and many others.

From a security standpoint, P2P networks ostensibly offer inherent robustness and availability properties that are not easy to achieve in a traditional network design. For example, an attacker wishing to effect a denial of service in a traditional network can focus her attack on a relatively small number of centralized servers, whereas in a P2P network the attacker must compromise a relatively large number of servents in order to fully disconnect the network.

However, in practice many P2P networks remain vulnerable to denial of service attacks because the homogeneity of the network results in greater interdependence among hosts. For example, in a Chord network [7], any pair of peers who wish to communicate must trust the O(log n) other peers who constitute the initial routing path between them through the network overlay (where n is the number of peers in the network). These hosts are chosen deterministically by the routing protocol, so to disconnect the two hosts it suffices to compromise any one of these O(log n) peers. In general, this means that compromising one host in a Chord network prevents numerous hosts from communicating even if it does not disconnect the entire network. Other protocols like CAN [10], Pastry [11], and Tapestry [12] have similar vulnerabilities of varying severity.

Many existing P2P networks also suffer from serious data integrity vulnerabilities because it is easy for peers in the network to lie to other peers about the data they serve. Peers can therefore spread corrupt content and malware merely by publishing it under a misleading name or with false keywords. Unsuspecting peers then download and propagate this low-integrity data to other peers. Such vulnerabilities are a major issue for real-world P2P implementations today. For example, two studies published in 2006 detected malware in as much as 68% of all executable content exchanged over KaZaA [13] and in 15% of all files exchanged over LimeWire [14]. Integrity violations are therefore a significant concern for owners, administrators, and users of these networks.

Confidentiality is often cited by P2P users as an appealing advantage of P2P networks, but in reality strong confidentiality guarantees are deceptively difficult to attain. The confidentiality desired by P2P users typically comes in two forms: data confidentiality policies prohibit the leaking of high-confidentiality shared objects to low-privileged peers, while user anonymity policies prohibit the divulging of a user's private information. Such private information might include login credentials, a history of files shared or downloaded, or a list of the peers with which a user has interacted in the past. Standard P2P network designs do not directly support either of these classes of security policies. Data confidentiality is not supported because shared objects are all public in today's P2P networks, and can therefore be downloaded freely by untrusted peers. User anonymity is not supported because, without a central authority, login credentials and other private information must typically be divulged to a variety of other peers during [...] load-balancing issues in large networks, argues that P2P security should be a high priority for cyber-security researchers.

B. Reputation-based Trust Management

Reputation-based trust management has emerged as an extremely promising technology for addressing many of these security vulnerabilities without sacrificing the load-balancing advantages of decentralization. A trust management system maintains a global trust label t_a for each agent a in the network. When the system is reputation-based, label t_a is an aggregation of the local opinions of all agents in the network based on their prior experiences with agent a. To compute t_a, each opinion of agent a is weighted by the reputation of the opiner, so that agents with good reputations are more influential than those with poor reputations or no reputation. A goal of the trust management system is to allow only non-malicious peers to accrue good reputations with high probability. This allows non-malicious agents to easily identify malicious agents and potentially censor them from transactions. For example, a file served from a disreputable peer might be assigned a low integrity label by the receiving host. Similarly, the routing protocol might avoid forwarding messages via disreputable peers. Thus, tracking global reputations allows each peer to benefit from the experiences of all other peers in the network.

Although trust labels are global, they can be maintained in a decentralized setting via replication. For example, in the EigenTrust system [6] each agent's global trust label is tracked by k distinct peers (where k is a constant defined at network initialization). These k peers are referred to as the agent's score-managers. Peers report feedback to all k of agent a's score-managers after each transaction with agent a, thereby updating t_a. When agent a participates in many positive transactions, t_a therefore increases. Label t_a can be retrieved by any peer by contacting all k score-managers and computing the median of their responses. Thus, subverting an agent's reputation requires subverting at least k/2 of the agent's score-managers, which is difficult when k is large. Score-managers of agent a are chosen by applying a secure hash function to agent a's IP address, so that agents can choose neither their score-managers nor the agents for whom they act as score-manager. This prevents a malicious collective from subverting an agent's reputation by becoming score-managers for agent a.

In recent work [5] we showed that reputation-based trust management can be leveraged to enforce strong data integrity policies in P2P networks.
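The Chord routing dependence described in Section II-A, as an added illustration written for this page (it is not code from the paper or from the Penny system): a minimal Chord ring with greedy finger-table routing. Everything concrete in it is an assumption of the example: an 8-bit identifier space, peer ids taken as the SHA-1 of a constructed peer name, and the rule that a compromised intermediate peer simply drops what it is asked to forward. Running it shows that every pair's path is fixed by the protocol and bounded by the identifier width, and counts how many ordered pairs a single compromised peer can silence.

```python
"""Chord's deterministic O(log n) routing path as a single point of failure.

Added illustration, not code from the paper or from the Penny system: a
minimal Chord ring (identifier bits, peer names and ring size are constructed
for the example) with greedy finger-table routing, used to show that the
path between two peers is fixed by the protocol, so compromising any one
intermediate peer on it is enough to cut the pair off.
"""
import hashlib
import itertools

M = 8              # identifier bits; the ring has 2**8 = 256 slots (assumption)
RING = 2 ** M


def node_id(name: str) -> int:
    """Assumption: a peer's id is the SHA-1 of its name, reduced onto the ring."""
    return int.from_bytes(hashlib.sha1(name.encode()).digest(), "big") % RING


def in_half_open(x: int, a: int, b: int) -> bool:
    """True if x lies in the circular interval (a, b]."""
    if a < b:
        return a < x <= b
    return x > a or x <= b      # the interval wraps past 0


class Ring:
    def __init__(self, ids):
        self.nodes = sorted(set(ids))
        if len(self.nodes) < 2:
            raise ValueError("need at least two distinct peers")
        # finger i of n is the first peer at or after n + 2**i
        self.fingers = {n: [self.successor((n + 2 ** i) % RING) for i in range(M)]
                        for n in self.nodes}

    def successor(self, key: int) -> int:
        """First peer at or after key on the ring."""
        for n in self.nodes:
            if n >= key:
                return n
        return self.nodes[0]

    def next_hop(self, n: int, dst: int) -> int:
        """Greedy Chord step: the farthest finger of n that does not overshoot dst."""
        for f in reversed(self.fingers[n]):
            if in_half_open(f, n, dst):
                return f
        raise RuntimeError("inconsistent finger table")   # finger 0 always qualifies

    def route(self, src: int, dst: int, compromised=frozenset()):
        """Hop list from src to dst, or None if an intermediate hop is in
        `compromised` (assumption: a compromised peer drops the message)."""
        path, n = [src], src
        while n != dst:
            n = self.next_hop(n, dst)
            if n != dst and n in compromised:
                return None
            path.append(n)
        return path


def pairs_cut_by(ring: Ring, peer: int) -> int:
    """Ordered (src, dst) pairs of *other* peers whose fixed path crosses `peer`."""
    return sum(
        1 for s, d in itertools.permutations(ring.nodes, 2)
        if peer not in (s, d) and ring.route(s, d, {peer}) is None
    )


def demo(n_peers: int = 32):
    """Build a ring of constructed peer names; report the longest path and the
    single peer whose compromise severs the most communicating pairs."""
    ring = Ring(node_id(f"peer{i}.example:4000") for i in range(n_peers))
    longest = max(len(ring.route(s, d)) - 1
                  for s, d in itertools.permutations(ring.nodes, 2))
    worst = max(ring.nodes, key=lambda p: pairs_cut_by(ring, p))
    return ring, longest, worst, pairs_cut_by(ring, worst)


if __name__ == "__main__":
    ring, longest, worst, cut = demo()
    total = len(ring.nodes) * (len(ring.nodes) - 1)
    print(f"{len(ring.nodes)} peers, longest path {longest} hops (bound M={M})")
    print(f"compromising peer {worst} alone cuts {cut} of {total} ordered pairs")
```

Each hop at least halves the remaining clockwise distance, so no path exceeds M hops; that bound is the O(log n) of the text, and every one of those hops is a peer the two endpoints never chose.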
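The score-manager scheme of Section II-B, as an added example written for this page (it is not the EigenTrust or Penny implementation). Assumptions of the example: managers are picked by the SHA-256 of the agent's IP address concatenated with a counter and mapped onto the peer list; reporters' weights are global trust values held in the `Network` object and set explicitly here rather than computed by EigenTrust's iteration; a subverted manager answers 1.0 for everything; and all addresses, trust values and opinions are constructed. The demo reproduces the k/2 threshold: with k = 5, two lying managers cannot move the median, three can.

```python
"""Reputation labels held by hashed score-managers and read back by median.

Added example, not the EigenTrust or Penny implementation. Every agent a has
k score-managers fixed by a hash of a's IP address (assumption: SHA-256 of
"<ip>|<i>", i = 0, 1, ..., mapped onto the peer list); a peer that finishes a
transaction with a reports its opinion to all k of them; a reader asks all k
for t_a and takes the median. IP addresses, trust values and opinions below
are constructed for the example.
"""
import hashlib
from statistics import median


def score_managers(ip: str, peers: list, k: int) -> list:
    """k distinct managers for agent `ip`, chosen by a hash the agent cannot pick."""
    if len(peers) <= k:
        raise ValueError("need more than k peers to pick k managers")
    chosen, i = [], 0
    while len(chosen) < k:
        h = hashlib.sha256(f"{ip}|{i}".encode()).digest()
        cand = peers[int.from_bytes(h, "big") % len(peers)]
        if cand != ip and cand not in chosen:    # an agent never manages its own label
            chosen.append(cand)
        i += 1
    return chosen


class Manager:
    """One score-manager's view: the weighted opinions it holds about each agent."""

    def __init__(self, lies_with=None):
        self.reports = {}            # agent -> [(reporter_trust, opinion), ...]
        self.lies_with = lies_with   # a subverted manager answers this constant

    def report(self, agent: str, reporter_trust: float, opinion: float):
        self.reports.setdefault(agent, []).append((reporter_trust, opinion))

    def label(self, agent: str) -> float:
        if self.lies_with is not None:
            return self.lies_with
        rs = self.reports.get(agent, [])
        total = sum(w for w, _ in rs)
        if total == 0:
            return 0.0               # no reputation yet
        # reputation-weighted aggregation: a trusted reporter counts for more
        return sum(w * o for w, o in rs) / total


class Network:
    def __init__(self, peers, k: int, subverted=()):
        self.peers, self.k = list(peers), k
        self.managers = {p: Manager(lies_with=1.0 if p in set(subverted) else None)
                         for p in self.peers}
        # global trust of each peer as a reporter; assumption: set by the caller
        # rather than computed by EigenTrust's iteration
        self.trust = {p: 0.0 for p in self.peers}

    def feedback(self, reporter: str, agent: str, opinion: float):
        """After a transaction with `agent`, send the opinion to all k managers."""
        for m in score_managers(agent, self.peers, self.k):
            self.managers[m].report(agent, self.trust[reporter], opinion)

    def lookup(self, agent: str) -> float:
        """t_a as seen by a reader: the median of the k managers' answers."""
        answers = [self.managers[m].label(agent)
                   for m in score_managers(agent, self.peers, self.k)]
        return median(answers)


def demo(k: int = 5, liars: int = 2) -> float:
    """Rate a peer that served malware while `liars` of its k managers collude
    to report a perfect score. Returns the label a reader would see."""
    peers = [f"10.0.0.{i}" for i in range(1, 21)]          # constructed addresses
    target = "10.0.0.7"
    colluders = score_managers(target, peers, k)[:liars]    # managers the collective holds
    net = Network(peers, k, subverted=colluders)
    for p in peers:
        net.trust[p] = 0.8                                   # established reputations
    net.trust["10.0.0.3"] = 0.01                             # a shill with no reputation
    for honest in ("10.0.0.1", "10.0.0.2", "10.0.0.4", "10.0.0.5"):
        net.feedback(honest, target, 0.0)                    # "it served me malware"
    net.feedback("10.0.0.3", target, 1.0)                    # the shill vouches for it
    return net.lookup(target)


if __name__ == "__main__":
    for liars in (0, 2, 3):
        print(f"k=5, {liars} subverted managers -> t_target = {demo(5, liars):.3f}")
```

Two things the run makes visible: the shill's endorsement barely moves the honest managers' label because its own reputation weighs 0.01 against 0.8 per honest reporter, and the median only flips once the colluders hold a majority of the k managers. With even k, `statistics.median` averages the two middle answers, so k/2 colluders already pull the result halfway; choosing k odd makes the threshold exactly (k+1)/2.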
